Ask GeekBuddy

Q: GeekBuddy! GeekBuddy! What's a 'drive-by-download' attack?

GeekBuddy says:

A 'drive-by-download' attack is a malware delivery technique that is triggered simply because the user visited a website. Traditionally, malware was only 'activated' as a result of the user proactively opening an infected file (for example, opening an email attachment or double clicking on an executable that had been downloaded from the Internet).

Unfortunately, hackers have become much more sophisticated over recent years and this level of interaction is no longer required. Malware may be served as hidden codes within a website content, served content like banners, advertisements and used as a vehicle for hacking and other cyber-crime. The simple act of visiting a site is enough to get your computer infected or your personal details stolen.

Q: What types of attack can a website launch against me?

GeekBuddy says:

The 'Drive-by-Download' Attack

'Drive-by-download' attacks occur when a visitor navigates to a site that injects malware onto the victim's PC. Crucially, these attacks are usually downloaded and run in the background in a manner that is invisible to the user - and without the user taking any conscious 'action steps' to initiate the attack. Just the act of viewing a web-page that harbors this malicious code is enough for the attack to run. The downloaded malware often initiates a buffer-overflow attack.

A buffer-overflow attack occurs when the downloaded malicious program or script deliberately sends more data to a target applications memory buffer than the buffer can handle - which can be exploited to create a back door to the system though which a hacker can gain access. The goal of most attacks is to install malware onto the compromised PC whereby the hacker can reformat the hard drive, steal sensitive user information, or even install programs that transform the machine into a zombie PC.

There are many types of buffer overflow attack, including stack attacks, heap attacks and ret2libc attacks. In each case, the goal is to destabilize or crash a computer system by deliberately causing a buffer overflow – creating the opportunity for the hacker to run malicious code and even gain control of the entire operating system. As would be expected, the applications most vulnerable to a buffer overflow attacks are those whose primary function involves Internet connectivity - such as web-browsers, e-mail clients and instant messaging applications.

Cross Site Scripting Attack
The Cross Site Scripting (XSS) attack is initiated by Malicious attackers injecting client-side script into web-pages accessed by unsuspecting users. The injected scripts enable the attacker to steal sensitive page content, session cookies, and a variety of other information maintained by the browser on user's computer. There are two types of XSS attacks:

Non Persistent:
The malicious script, passed by the attacker e.g. through the HTML forms, can place place hidden frames or deceptive links on unrelated sites in the web content of the legitimate server, and cause victims' browsers to navigate to a malicious site automatically - often completely in the background - and in such a case, the attacker can intrude into the security context and steal them from the victim's browser.

Persistent:
The malicious script, passed by the attacker e.g. through the HTML forms, is saved in the server and displayed permanently in the normal pages rendered to the visitors. This enables the attackers to hijack the transactions through the legitimate server and can steal sensitive information like authentication passwords, credit card numbers, billing information etc.

In order for a website to be safe, reliable and to ensure security to the visitors, it should be free from any of the threats listed above.

Automatically pre-screen the websites you are about to visit.There are many 'black lists' of known malicious websites that will warn you if you attempt to visit a malware site. Comodo SecureDNS offers users just such as service with its malware domain filtering feature. SecureDNS references a real-time block list (RBL) of harmful websites and will warn you whenever you attempt to access a site containing potentially threatening content. Users can set up SecureDNS as part of the CIS installation routine or can set it up as a standalone service in their browser by following the easy instructions at https://www.comodo.com/secure-dns/

If you are still suspicious, have the website checked out online.
SiteInspector is the next dimension of website security scanning. After you type in the URL of a website, SiteInspector acts as a vulnerable customer, visits the URL, analyzes the content and determines if the web content on the page is malicious. Each scan takes only a few seconds.
SiteInspector provides scan reports containing the identified malware at the end, enabling the administrator to take corrective actions and to keep the website safe and reliable. SiteInspector is available for users to try at http://siteinspector.comodo.com/queryui